session/checkuser.php (fce85eb) - webinterface.git

fce85ebdc6dc2378801f0df488adcb8e7cac57c8

webinterface => /webinterface bernd authored 17 years ago	`1) <?php`
Added license tags for CC0,... Bernd Wurst authored 12 years ago	`2) /* 3) This file belongs to the Webinterface of schokokeks.org Hosting 4)`
Change license from CC0 to... Hanno Böck authored 1 year ago	`5) Written by schokokeks.org Hosting, namely`
Added license tags for CC0,... Bernd Wurst authored 12 years ago	`6) Bernd Wurst <bernd@schokokeks.org> 7) Hanno Böck <hanno@schokokeks.org> 8)`
Change license from CC0 to... Hanno Böck authored 1 year ago	`9) This code is published under a 0BSD license.`
Added license tags for CC0,... Bernd Wurst authored 12 years ago	`10) 11) Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code. 12) */`
webinterface => /webinterface bernd authored 17 years ago	`13)`
Logging aktiviert bernd authored 16 years ago	`14) require_once('inc/base.php');`
webinterface => /webinterface bernd authored 17 years ago	`15) require_once('inc/debug.php'); 16) require_once('inc/error.php'); 17) 18) define('ROLE_ANONYMOUS', 0);`
Auch mailaccounts können si... bernd authored 16 years ago	`19) define('ROLE_MAILACCOUNT', 1);`
VMail-accounts können sich... bernd authored 16 years ago	`20) define('ROLE_VMAIL_ACCOUNT', 2); 21) define('ROLE_SYSTEMUSER', 4); 22) define('ROLE_CUSTOMER', 8); 23) define('ROLE_SYSADMIN', 16);`
Erlaube subusers, die nur Z... bernd authored 13 years ago	`24) define('ROLE_SUBUSER', 32);`
webinterface => /webinterface bernd authored 17 years ago	`25) 26) 27) // Gibt die Rolle aus, wenn das Passwort stimmt 28)`
Fix coding style with php-c... Hanno authored 5 years ago	`29) function find_role($login, $password, $i_am_admin = false)`
webinterface => /webinterface bernd authored 17 years ago	`30) {`
add brute force protection... Bernd Wurst authored 5 years ago	`31) if (!$i_am_admin) { 32) $failed = count_failed_logins(); 33) if ($failed > 5) { 34) global $title; 35) $title = ''; 36) system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!"); 37) } 38) }`
Fix coding style with php-c... Hanno authored 5 years ago	`39) // Domain-Admin? <not implemented> 40) // System-User? 41) $uid = (int) $login; 42) if ($uid == 0) { 43) $uid = null;`
Beachte Groß- und Kleinshre... Bernd Wurst authored 11 years ago	`44) }`
merge passkeys feature Bernd Wurst authored 5 months ago	45) $result = db_query("SELECT uid, username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid=:uid OR username=:login LIMIT 1;", [":uid" => $uid, ":login" => $login]);
Fix coding style with php-c... Hanno authored 5 years ago	46) if (@$result->rowCount() > 0) { 47) $entry = $result->fetch(PDO::FETCH_OBJ); 48) if (strcasecmp($entry->username, $login) == 0 && $entry->username != $login) { 49) // MySQL matched (warum auch immer) ohne Beachtung der Schreibweise. Wir wollen aber case-sensitive sein. 50) logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«."); 51) warning('Beachten Sie bei der Eingabe Ihrer Zugangsdaten bitte die Groß- und Kleinschreibung.'); 52) return null; 53) } 54) $db_password = $entry->password; 55) $hash = crypt($password, $db_password); 56) if (($entry->status == 0 && $hash == $db_password) \|\| $i_am_admin) { 57) $role = ROLE_SYSTEMUSER; 58) if ($entry->primary) { 59) $role = $role \| ROLE_CUSTOMER; 60) } 61) if ($entry->admin) { 62) $role = $role \| ROLE_SYSADMIN; 63) } 64) logger(LOG_INFO, "session/checkuser", "login", "logged in systemuser »{$login}«."); 65) return $role; 66) } 67) logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing useraccount »{$login}«."); 68) } else { 69) logger(LOG_WARNING, "session/checkuser", "login", "did not find useraccount »{$login}«. trying other roles...");
* Initialisierung der Sessi... bernd authored 16 years ago	`70) }`
Fix coding style with php-c... Hanno authored 5 years ago	`71) 72) // Customer? 73) $customerno = (int) $login; 74) $pass = sha1($password);`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`75) $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=:customerno AND passwort=:pass", [":customerno" => $customerno, ":pass" => $pass]);`
Fix coding style with php-c... Hanno authored 5 years ago	`76) if ($i_am_admin) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`77) $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=?", [$customerno]);`
Fix coding style with php-c... Hanno authored 5 years ago	`78) } 79) if (@$result->rowCount() > 0) { 80) return ROLE_CUSTOMER; 81) } 82) 83) // Sub-User 84)`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`85) $result = db_query("SELECT password FROM system.subusers WHERE username=?", [$login]);`
Fix coding style with php-c... Hanno authored 5 years ago	86) if (@$result->rowCount() > 0) { 87) $entry = $result->fetch(PDO::FETCH_OBJ); 88) $db_password = $entry->password; 89) // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser 90) if (hash("sha1", $password) == $db_password \|\| hash("sha256", $password) == $db_password \|\| $i_am_admin) { 91) logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«."); 92) return ROLE_SUBUSER; 93) } 94) logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«."); 95) } 96) 97) 98) // Mail-Account 99) $account = $login;
Fix not operator (!) spaces Hanno Böck authored 7 months ago	`100) if (!strstr($account, '@')) {`
Spaces between string conca... Hanno Böck authored 6 months ago	`101) $account .= '@' . config('masterdomain');`
Login am Webiterface mit Go... Bernd Wurst authored 11 years ago	`102) }`
Fix coding style with php-c... Hanno authored 5 years ago	`103) if (!$i_am_admin && have_module('webmailtotp')) { 104) require_once('modules/webmailtotp/include/totp.php'); 105) if (account_has_totp($account)) { 106) if (check_webmail_password($account, $password)) { 107) $_SESSION['totp_username'] = $account; 108) $_SESSION['totp'] = true;`
merge passkeys feature Bernd Wurst authored 5 months ago	`109) show_page('totp-login');`
Fix coding style with php-c... Hanno authored 5 years ago	`110) die(); 111) } else { 112) return null; 113) } 114) }`
Login am Webiterface mit Go... Bernd Wurst authored 11 years ago	`115) }`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`116) $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account=?", [$account]);`
Fix coding style with php-c... Hanno authored 5 years ago	`117) if (@$result->rowCount() > 0) { 118) $entry = $result->fetch(PDO::FETCH_OBJ); 119) $db_password = $entry->cryptpass; 120) $hash = crypt($password, $db_password); 121) if ($hash == $db_password \|\| $i_am_admin) { 122) logger(LOG_INFO, "session/checkuser", "login", "logged in e-mail-account »{$account}«."); 123) return ROLE_MAILACCOUNT; 124) } 125) logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing e-mail-account »{$account}«.");`
Auch mailaccounts können si... bernd authored 16 years ago	`126) }`
remove whitespace in empty... Hanno authored 5 years ago	`127)`
Fix coding style with php-c... Hanno authored 5 years ago	`128) // virtueller Mail-Account 129) $account = $login;`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`130) $result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account=?", [$account]);`
Fix coding style with php-c... Hanno authored 5 years ago	`131) if (@$result->rowCount() > 0) { 132) $entry = $result->fetch(PDO::FETCH_OBJ); 133) $db_password = $entry->cryptpass; 134) $hash = crypt($password, $db_password); 135) if ($hash == $db_password \|\| $i_am_admin) { 136) logger(LOG_INFO, "session/checkuser", "login", "logged in virtual e-mail-account »{$account}«."); 137) return ROLE_VMAIL_ACCOUNT; 138) } 139) logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing virtual e-mail-account »{$account}«.");`
VMail-accounts können sich... bernd authored 16 years ago	`140) }`
remove whitespace in empty... Hanno authored 5 years ago	`141)`
Auch mailaccounts können si... bernd authored 16 years ago	`142) 143)`
Fix coding style with php-c... Hanno authored 5 years ago	`144) // Nothing? 145) return null;`
webinterface => /webinterface bernd authored 17 years ago	`146) } 147)`
show a warning on the start... Bernd Wurst authored 4 years ago	`148) function is_locked() 149) { 150) $result = null; 151) if (isset($_SESSION['customerinfo']['customerno'])) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`152) $result = db_query("SELECT gesperrt FROM kundendaten.kunden WHERE id=?", [$_SESSION['customerinfo']['customerno']]);`
show a warning on the start... Bernd Wurst authored 4 years ago	`153) } elseif (isset($_SESSION['userinfo']['uid'])) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`154) $result = db_query("SELECT (SELECT gesperrt FROM kundendaten.kunden WHERE id=useraccounts.kunde) AS gesperrt FROM system.useraccounts WHERE uid=?", [$_SESSION['userinfo']['uid']]);`
show a warning on the start... Bernd Wurst authored 4 years ago	`155) } 156) if ($result) { 157) $line = $result->fetch(); 158) if ($line['gesperrt'] == 1) { 159) return true; 160) } 161) } 162) return false; 163) } 164)`
webinterface => /webinterface bernd authored 17 years ago	`165)`
* Initialisierung der Sessi... bernd authored 16 years ago	`166) function get_customer_info($customer)`
webinterface => /webinterface bernd authored 17 years ago	`167) {`
Fix not operator (!) spaces Hanno Böck authored 7 months ago	`168) if (!$_SESSION['role'] & ROLE_CUSTOMER) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`169) return [];`
Fix coding style with php-c... Hanno authored 5 years ago	`170) }`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`171) $ret = [];`
Fix coding style with php-c... Hanno authored 5 years ago	`172) $customerno = (int) $customer; 173) if ($customerno != 0) {`
Spaces between string conca... Hanno Böck authored 6 months ago	`174) DEBUG('Looking up customerinfo for customer no. ' . $customerno);`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`175) $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden WHERE id=?", [$customerno]);`
Fix coding style with php-c... Hanno authored 5 years ago	`176) } else { 177) $username = $customer;`
Spaces between string conca... Hanno Böck authored 6 months ago	`178) DEBUG('looking up customer info for username ' . $username);`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`179) $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", [$username]);`
Fix coding style with php-c... Hanno authored 5 years ago	`180) } 181) if (@$result->rowCount() == 0) { 182) system_failure("Konnte Kundendaten nicht auslesen!"); 183) } 184) $data = $result->fetch(); 185) DEBUG($data); 186) $ret['customerno'] = $data['id']; 187) $ret['title'] = $data['anrede']; 188) $ret['company'] = $data['firma']; 189) $ret['name'] = $data['name']; 190) $ret['email'] = $data['email'];`
remove whitespace in empty... Hanno authored 5 years ago	`191)`
Fix coding style with php-c... Hanno authored 5 years ago	`192) return $ret;`
webinterface => /webinterface bernd authored 17 years ago	`193) } 194) 195)`
Erlaube subusers, die nur Z... bernd authored 13 years ago	`196) function get_subuser_info($username) 197) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`198) $result = db_query("SELECT uid, modules FROM system.subusers WHERE username=?", [$username]);`
Fix coding style with php-c... Hanno authored 5 years ago	`199) if ($result->rowCount() < 1) { 200) logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«"); 201) system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator'); 202) } 203) $data = $result->fetch(); 204) $userinfo = get_user_info($data['uid']); 205) $userinfo['modules'] = $data['modules']; 206) return $userinfo;`
Erlaube subusers, die nur Z... bernd authored 13 years ago	`207) } 208) 209)`
webinterface => /webinterface bernd authored 17 years ago	`210) function get_user_info($username) 211) {`
Fix coding style with php-c... Hanno authored 5 years ago	`212) $result = db_query("SELECT kunde AS customerno, username, uid, homedir, name, server`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`213) FROM system.v_useraccounts WHERE username=:username OR uid=:username", [":username" => $username]);`
Fix coding style with php-c... Hanno authored 5 years ago	`214) if ($result->rowCount() < 1) { 215) logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«"); 216) system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator'); 217) } 218) $val = @$result->fetch(PDO::FETCH_OBJ);`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`219) return [`
webinterface => /webinterface bernd authored 17 years ago	`220) 'username' => $val->username, 221) 'customerno' => $val->customerno, 222) 'uid' => $val->uid, 223) 'homedir' => $val->homedir,`
IPv6-Option nur anzeigen we... bernd authored 13 years ago	`224) 'server' => $val->server,`
webinterface => /webinterface bernd authored 17 years ago	`225) 'name' => $val->name,`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`226) ];`
webinterface => /webinterface bernd authored 17 years ago	`227) } 228)`
Kunden-Status wird benutzt... bernd authored 16 years ago	`229) function set_customer_verified($customerno) 230) {`
Fix coding style with php-c... Hanno authored 5 years ago	`231) $customerno = (int) $customerno;`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`232) db_query("UPDATE kundendaten.kunden SET status=0 WHERE id=?", [$customerno]);`
Fix coding style with php-c... Hanno authored 5 years ago	`233) logger(LOG_INFO, "session/checkuser", "register", "set customer's status to 0.");`
Kunden-Status wird benutzt... bernd authored 16 years ago	`234) } 235) 236) function set_customer_lastlogin($customerno) 237) {`
Fix coding style with php-c... Hanno authored 5 years ago	`238) $customerno = (int) $customerno;`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`239) db_query("UPDATE kundendaten.kunden SET lastlogin=NOW() WHERE id=?", [$customerno]);`
Kunden-Status wird benutzt... bernd authored 16 years ago	`240) } 241)`
webinterface => /webinterface bernd authored 17 years ago	`242) function set_customer_password($customerno, $newpass) 243) {`
Fix coding style with php-c... Hanno authored 5 years ago	`244) $customerno = (int) $customerno; 245) $newpass = sha1($newpass);`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`246) db_query("UPDATE kundendaten.kunden SET passwort=:newpass WHERE id=:customerno", [":newpass" => $newpass, ":customerno" => $customerno]);`
Fix coding style with php-c... Hanno authored 5 years ago	`247) logger(LOG_INFO, "session/checkuser", "pwchange", "changed customer's password.");`
Passwort-Ändern geht jetzt... bernd authored 13 years ago	`248) } 249) 250) function set_subuser_password($subuser, $newpass) 251) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`252) $args = [":subuser" => $subuser,`
* Weitere Module auf prepar... Bernd Wurst authored 10 years ago	`253) ":uid" => (int) $_SESSION['userinfo']['uid'],`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`254) ":newpass" => sha1($newpass), ];`
Fix coding style with php-c... Hanno authored 5 years ago	`255) db_query("UPDATE system.subusers SET password=:newpass WHERE username=:subuser AND uid=:uid", $args); 256) logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password.");`
webinterface => /webinterface bernd authored 17 years ago	`257) } 258) 259) function set_systemuser_password($uid, $newpass) 260) {`
Fix coding style with php-c... Hanno authored 5 years ago	`261) $uid = (int) $uid; 262) require_once('inc/base.php');`
Spaces between string conca... Hanno Böck authored 6 months ago	`263) $newpass = crypt($newpass, '$6$' . random_string(8) . '$');`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`264) db_query("UPDATE system.passwoerter SET passwort=:newpass WHERE uid=:uid", [":newpass" => $newpass, ":uid" => $uid]);`
Fix coding style with php-c... Hanno authored 5 years ago	`265) logger(LOG_INFO, "session/checkuser", "pwchange", "changed user's password.");`
webinterface => /webinterface bernd authored 17 years ago	`266) } 267)`
* Initialisierung der Sessi... bernd authored 16 years ago	`268)`
Fix coding style with php-c... Hanno authored 5 years ago	`269) function user_for_mailaccount($account)`
Zeige User-Infos beim Login... Bernd Wurst authored 11 years ago	`270) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`271) $result = db_query("SELECT uid FROM mail.courier_mailaccounts WHERE account=?", [$account]);`
Fix coding style with php-c... Hanno authored 5 years ago	`272) if ($result->rowCount() != 1) { 273) system_failure('Diese Adresse ist herrenlos?!'); 274) } 275) $tmp = $result->fetch(); 276) return $tmp['uid'];`
Zeige User-Infos beim Login... Bernd Wurst authored 11 years ago	`277) } 278) 279) function user_for_vmail_account($account) 280) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`281) $result = db_query("SELECT useraccount FROM mail.v_vmail_accounts WHERE CONCAT_WS('@', local, domainname)=?", [$account]);`
Fix coding style with php-c... Hanno authored 5 years ago	`282) if ($result->rowCount() != 1) { 283) system_failure('Diese Adresse ist herrenlos?!'); 284) } 285) $tmp = $result->fetch(); 286) return $tmp['useraccount'];`
Zeige User-Infos beim Login... Bernd Wurst authored 11 years ago	`287) } 288) 289)`
* Initialisierung der Sessi... bernd authored 16 years ago	`290) function setup_session($role, $useridentity) 291) {`
Fix coding style with php-c... Hanno authored 5 years ago	`292) session_regenerate_id(); 293) $_SESSION['role'] = $role; 294) if ($role & ROLE_SUBUSER) { 295) DEBUG("We are a sub-user"); 296) $info = get_subuser_info($useridentity); 297) $_SESSION['userinfo'] = $info; 298) $_SESSION['restrict_modules'] = explode(',', $info['modules']); 299) $_SESSION['role'] = ROLE_SYSTEMUSER \| ROLE_SUBUSER; 300) $_SESSION['subuser'] = $useridentity;`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`301) $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username=?", [$info['username']]);`
Fix coding style with php-c... Hanno authored 5 years ago	`302) if ($entry = $data->fetch()) { 303) if ($entry['kundenaccount'] == 1) { 304) $customer = get_customer_info($_SESSION['userinfo']['username']); 305) $_SESSION['customerinfo'] = $customer; 306) $_SESSION['role'] = ROLE_SYSTEMUSER \| ROLE_CUSTOMER \| ROLE_SUBUSER; 307) } 308) } 309) logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");`
Subuser sollen nicht automa... Bernd Wurst authored 10 years ago	`310) }`
Fix coding style with php-c... Hanno authored 5 years ago	311) if ($role & ROLE_SYSTEMUSER) { 312) DEBUG("We are system user"); 313) $info = get_user_info($useridentity); 314) $_SESSION['userinfo'] = $info; 315) logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«"); 316) $useridentity = $info['customerno']; 317) } 318) if ($role & ROLE_CUSTOMER) { 319) $info = get_customer_info($useridentity); 320) $_SESSION['customerinfo'] = $info; 321) if (!isset($_SESSION['admin_user'])) { 322) set_customer_lastlogin($info['customerno']); 323) } 324) logger(LOG_INFO, "session/start", "login", "logged in customer no »{$info['customerno']}«"); 325) } 326) if ($role & ROLE_MAILACCOUNT) { 327) $id = $useridentity;
Fix not operator (!) spaces Hanno Böck authored 7 months ago	`328) if (!strstr($id, '@')) {`
Spaces between string conca... Hanno Böck authored 6 months ago	`329) $id .= '@' . config('masterdomain');`
Fix coding style with php-c... Hanno authored 5 years ago	`330) } 331) $uid = user_for_mailaccount($id); 332) $_SESSION['mailaccount'] = $id; 333) $_SESSION['userinfo'] = get_user_info($uid); 334) DEBUG("We are mailaccount: {$_SESSION['mailaccount']}"); 335) } 336) if ($role & ROLE_VMAIL_ACCOUNT) { 337) $id = $useridentity; 338) $uid = user_for_vmail_account($id); 339) $_SESSION['mailaccount'] = $id; 340) $_SESSION['userinfo'] = get_user_info($uid); 341) DEBUG("We are virtual mailaccount: {$_SESSION['mailaccount']}");`
Setze lastlogin nur bei Nic... bernd authored 13 years ago	`342) }`
Fix not operator (!) spaces Hanno Böck authored 7 months ago	`343) if (!($role & ROLE_CUSTOMER)) {`
Codingstyle PSR12 + array s... Hanno Böck authored 2 years ago	`344) $_SESSION['customerinfo'] = [];`
Lösche alte Kundendaten aus... Bernd Wurst authored 4 years ago	`345) }`